CVE-2025-62881

Vulnerability

Overview

The WP-Lister Lite for eBay plugin (versions up to and including 3.8.3) contains a missing authorization vulnerability. The plugin fails to properly enforce access control checks—such as capability verification or nonce validation—on certain functions, leading to a broken access control condition [1].

Exploitation

Details

An attacker with minimal privileges (e.g., a subscriber or contributor) can exploit this flaw by sending crafted HTTP requests to the vulnerable endpoints. No special network position is required; the attack can be carried out remotely. The lack of proper authorization allows the attacker to execute actions that should be restricted to higher-privileged users, such as administrators [1].

Impact

Successful exploitation enables an unprivileged user to perform unauthorized operations, potentially altering plugin settings, accessing sensitive data, or disrupting site functionality. While the CVSS score is 4.3 (Medium), the vulnerability is considered low severity by the vendor, but it may be targeted in mass-exploit campaigns due to the widespread use of the plugin [1].

Mitigation

The vulnerability is patched in version 3.8.5 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, consult your hosting provider for alternative mitigations [1].